Noise is a problem. As information security practitioners, we’ve been dealing with the problem of the signal-to-noise ratio for a long time. The solution hasn’t really changed, but the landscape certainly has. Ultimately, what drives noise down and elevates signal is, context.
For his presentation at Black Hat USA, Travis Smith, a fellow Tripwirian, dove into how you can use the open source ELK stack and a few other tricks, to add valuable context to the noise of alerts from network security monitoring tools. The tools at play here are: ELK (Elasticsearch, Logstash and Kibana) along with the open-source BRO NSM and Criticalstack for aggregated threat intelligence.
I won’t spend time here on the code and configurations. You can get that from the slides.
The conclusion, however, is the addition of context to what is traditionally a noisy stream of alerts. Let me be specific here. You get geolocation data on the source and destination, as well as the incorporation of known bad IPs or TOR exit nodes (and other threaty context), and you get them in both visually appealing and actually useful visualizations through Kibana.
That, however, is not the secret sauce. In fact, the secret sauce isn’t even secret. It’s right here: https://github.com/tripwire/tardis
@MrTrav has released an open source framework for performing historical searches using attack signatures. The problem he addresses is fundamentally one of time (thus, TARDIS). When a zero-day is discovered, vendors release a method of detection, but they don’t historically search for compromise, especially if they’re watching network traffic.
Travis’ research takes the data you’ve already collected and uses it to validate if a host was compromised in the past with the attack you just learned how to detect. It’s like information security time travel.
Cool research like this is just one of the reasons Tripwire rocks.
Title image courtesy of ShutterStock